Microsoft Security Risk Detection, a new Azure-hosted “whitebox fuzzing” service, is ready to ship to customers after several months of external testing. It will be generally available later this summer.
Previously codenamed Project Springfield, Microsoft Security Risk Detection (MSRD) began life inside Microsoft Research over ten years ago. It was designed to seek out the vulnerabilities in Microsoft’s software that hackers would later try to find and exploit, so that the software giant could fix them preemptively. It was battle-tested by the Windows team and other groups within Microsoft. And now, with Satya Nadella’s rise to CEO, it has matured from an internal tool to a shipping product.
Microsoft first announced MSRD at Ignite 2016 last September, when it asked for external help testing the service. Over 11,000 potential testers signed up during the week of Ignite alone, I was told, and Microsoft selected an unknown number of select customers—DocuSign, OSIsoft, and Deschutes Brewing among them—for real-world testing.
MSRD works like an automated “super debugger,” project lead David Molnar told me this week, examining software binaries as they run and probing for vulnerabilities. This means that it doesn’t need source code access, which makes it safe for customers to deploy from the public cloud. And because it is a public cloud service, MSRD doesn’t require developers to have any particular security expertise.
Molnar said that MSRD contains two big breakthroughs. The super debugger provides time travel-like benefits that help organizations step back through running code and find out where and when vulnerabilities were exploitable. And it utilizes constraint solving AI routines to more efficiently determine the correct path for its probes. By comparison, hackers typically use brute force, randomized attacks that are far less efficient.
At a high level, MSRD “reads the mind and sees into the soul of the running program,” Molnar said.
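To make the contrast in the preceding paragraphs concrete, here is an added example (my own toy code, not MSRD's and not based on anything Microsoft has published) of why constraint-guided "whitebox" fuzzing reaches deep branches that random "brute force" fuzzing almost never hits. The target, the XOR key, the magic bytes and every function name are constructed for illustration. The whitebox loop records the branch checks the target performs, takes the first one that failed, and inverts it directly; a real tool would hand the full path condition to an SMT solver instead.

```python
"""Added example: random (blackbox) fuzzing versus constraint-guided
(whitebox) fuzzing on a constructed toy target. Illustrative only."""
from __future__ import annotations

import random
from dataclasses import dataclass, field

# Constructed toy target: the buggy path is reached only when every input
# byte, XORed with a per-position key, equals the corresponding magic byte.
KEY = bytes([0x5A, 0x13, 0x7F, 0x00, 0xC3])
MAGIC = b"FUZZ!"


@dataclass
class Trace:
    """Branch checks observed during one run: (index, key, expected, satisfied)."""
    checks: list = field(default_factory=list)


def target(data: bytes, trace: Trace | None = None) -> bool:
    """Stand-in for a binary under test. Returns True when the 'crash' path is hit."""
    if len(data) < len(MAGIC):
        return False
    for i, (k, want) in enumerate(zip(KEY, MAGIC)):
        ok = (data[i] ^ k) == want
        if trace is not None:          # whitebox mode: record the path constraint
            trace.checks.append((i, k, want, ok))
        if not ok:
            return False
    return True


def random_fuzz(budget: int, seed: int = 0) -> tuple[bool, int]:
    """Blackbox: throw uniformly random inputs at the target.

    Returns (found, executions). Each attempt succeeds with probability
    1 / 256**len(MAGIC), so a budget of tens of thousands is hopeless.
    """
    rng = random.Random(seed)
    for n in range(1, budget + 1):
        candidate = bytes(rng.getrandbits(8) for _ in range(len(MAGIC)))
        if target(candidate):
            return True, n
    return False, budget


def whitebox_fuzz(budget: int) -> tuple[bool, int, bytes]:
    """Whitebox: run, read the first unsatisfied branch constraint, solve it, rerun.

    Returns (found, executions, input). Each run fixes one more byte, so the
    buggy path is reached in len(MAGIC) + 1 executions.
    """
    data = bytearray(len(MAGIC))       # seed input: all zero bytes
    for n in range(1, budget + 1):
        trace = Trace()
        if target(bytes(data), trace):
            return True, n, bytes(data)
        i, k, want, _ = next(c for c in trace.checks if not c[3])
        data[i] = want ^ k             # invert the XOR constraint for that byte
    return False, budget, bytes(data)


if __name__ == "__main__":
    print("random  :", random_fuzz(20000))   # (False, 20000)
    print("whitebox:", whitebox_fuzz(20))    # (True, 6, solved input)
```

The random fuzzer exhausts its 20,000-run budget without reaching the guarded path, while the constraint-driven loop needs six executions: one to learn each failed check and one final run that satisfies them all. Real whitebox fuzzers generalize this by treating every input byte as a symbolic value and negating one branch of the collected path condition at a time, which is what lets them enumerate paths systematically rather than by luck.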
MSRD will be expanded to other public clouds in the future—think Azure Stack—and Microsoft plans to add Linux software scanning in the near future as well. You can sign up for the Linux preview now.
“Linux is a priority for our customers because they run mission critical software on that platform,” Mr. Molnar noted. “These systems have to stay up, so anything that crashes is a much bigger issue.”